"Marco Bodrato" <bodrato at mail.dm.unipi.it> writes:
Are branches based on the _initial_ bit size allowed? Do we think that the
multiplication will be used also for large enough numbers requiring more
recursions of Karatsuba?
If we enable Karatsuba in sec_mul, then we should not leak for operands
which require Karatsuba to recurse into itself.
I'd say that we should preferably not leak the most significant bit's
position, as that could cause concerns for some callers.
--
Torbjörn
Please encrypt, key id 0xC8601622